Cybersecurity: Good Enough For Government Work Is Not Good Enough

Notwithstanding all of the tough talk about defeating “the enemy” and terrorism, when it comes to Cybersecurity, unfortunately, the expression “good enough for government work” comes to mind. Indeed, a recent report released by the National Association of State Chief Information Officers (NASCIO) somewhat chastises the Department of Homeland Security for not coordinating better with state and local authorities when it comes to combating cyberthreats.

Let's begin this discussion with a basic premise - the federal government is suppose to help protect state and local authorities combat terrorism. Section 7(c) of the Homeland Security Presidential Directive (HSPD) enunciates that “it is the policy of the United States to enhance the protection of our Nation's critical infrastructure and key resources against terrorist acts that could . . . undermine State and local government capacities to maintain order and to deliver minimum essential public services.” (Emphasis added). And Section 15 of the HSPD designates “emergency services,” the majority of which are provided by state and local authorities, as included among the most “critical infrastructure sectors.”

With this premise in mind, the NASCIO's Information Security Committee, conducted a survey of strategic Cybersecurity issues with the goal of assessing the nature of the relationship between state and local authorities with the programs and resources provided by the Department of Homeland Security. The Committee concluded that much more needs to be done by the Department of Homeland Security to assist state and local governments.

First, state and local governments “would gladly accept” a “closer relationship” with the Department of Homeland Security, rather than “the more detached, private-sector based approach that is in place.”

Second, it is recommended that a Cybersecurity assessment component be added to the current State Homeland Security Assessment and Strategy process to ensure that Cybersecurity is adequately addressed for state and local sectors. This would help, even if Cybersecurity efforts are not funded to the levels desired by state and local authorities.

Third, there should be the development of and promulgation of best practices, consistent methodologies and tools, as well as risk assessments, continuity of operations planning, and training for state and local governments.

Fourth, the Department of Homeland Security, as a direct provider of alerting services, needs to cure its reputation for lack of timeliness. In fact, “more emphasis needs to be placed on external-directed attacks, and internal ineptitude and maliciousness,” according to the report. There needs to be “better coordination and allocation of effort among the multiple entities with a stake in the game, so to speak.”

Fifth and finally, further academic programs and educational opportunities need to be made available to state and local players.

To the extent Cybersecurity is a real issue, then the left hand plainly needs to know what the right hand is doing, and both hands need to be working together. Let's hope that best efforts are made by the Department of Homeland Security in reaching out to and assisting state and local authorities in safeguarding the Internet.

Eric Sinrod is a partner in the San Francisco office of Duane Morris (www.duanemorris.com), where he focuses on litigation matters of various types, including information technology and intellectual property disputes. His Web site is (www.sinrodlaw.com), and he can be reached at ejsinrod@duanemorris.com. To receive a weekly e-mail link to Mr. Sinrod's columns, please send an e-mail with the word Subscribe in the Subject line to ejsinrod@duanemorris.com. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.